(Updated February 2021)
Until about 2014, I had never had any websites hacked; however, hacking seems to be on the increase and I have had to recover a number of sites for clients more recently. In fact, back in 2015 Google reported that they had noticed a 180% increase in the number of sites getting hacked (Official Google Webmaster Central Blog – 27th July 2015). More recent data from Forbes suggests that on average, 30,000 websites are hacked every day. These are typically small business sites that don’t realise they have been hacked and that they are unwittingly distributing malware.
A hacked site is obviously inconvenient, can lose you business and can take a lot of time (and cost) to fix. In some cases it can mean having to re-build the entire site from scratch again.
It seems that once a site has been attacked, the hackers keep coming back to see if they can do more damage. I had one site that was hacked through a newly identified vulnerability in a popular WordPress plugin. I fixed the site and installed security software to monitor any future attacks, and since then I can see that the hackers have constantly been probing the site using brute-force attacks, trying to break the password to get in.
The security software I use allows me to block attackers for a period of time after a specified number of failed attempts to log in, but even with this, blocking them for hours at a time, at one time I recorded around 350 attacks in just a few days from numerous different IP addresses from all around the world. And they still keep trying!
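A sketch of the lockout rule described above, as an added example that is not part of the original post or of any security plugin's code: it replays a constructed access log through a per-IP block and also counts the failures that get through because they come from different addresses. The threshold, window and lockout values, the log format, and the treatment of a 200 response to a `wp-login.php` POST as a failed login are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILS = 3                      # assumed threshold of failed logins
WINDOW = timedelta(minutes=5)      # assumed window in which failures are counted
LOCKOUT = timedelta(hours=4)       # assumed block duration
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.5 - - [10/Feb/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.5 - - [10/Feb/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.5 - - [10/Feb/2021:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [10/Feb/2021:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.8 - - [10/Feb/2021:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.9 - - [10/Feb/2021:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
192.0.2.10 - - [10/Feb/2021:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""  # constructed sample using documentation IP ranges, not real traffic

def analyse(log_text):
    """Replay a log through a per-IP lockout; return what it did and did not stop."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failed logins
    blocked_until = {}             # ip -> time the current lockout ends
    result = {"locked_out": set(), "blocked": 0, "failed": 0, "failing_ips": set()}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in blocked_until and when < blocked_until[ip]:
            result["blocked"] += 1          # a live lockout would have refused this
            continue
        if status != "200":                 # assumption: 200 = login form shown again
            continue
        result["failed"] += 1
        result["failing_ips"].add(ip)
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:         # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILS:
            blocked_until[ip] = when + LOCKOUT
            result["locked_out"].add(ip)
    return result
```

On the sample, one address is locked out, while three further failures from three other addresses are never blocked, which is why a per-IP lockout slows distributed guessing but does not stop it.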
Software security is a very difficult challenge. Even the most securely written code has potential flaws in it that can allow an attacker to gain unauthorised access to a site if they can find them. The hackers set up automated “bots” that constantly trawl the Internet, looking for websites, probing them to see what is installed and then exploiting known vulnerabilities if they find them.
It is estimated that around 39% (February 2021) of websites worldwide are built using WordPress (a content management system), so it is obviously a popular target for hackers. Vulnerabilities can exist in the core code of WordPress or in any of the literally thousands of themes and plugins that are used to extend the functionality of the content management system.
Once a vulnerability is identified by the hackers, the original developers update the code to “patch” it and fix the problem, constantly trying to keep up with the hackers. Once a vulnerability is patched, the hackers start looking for new ones, so it is a constant battle.
One thing that the hackers rely on, in order to maximise the damage they can do, is that many website owners do not keep their software updated regularly, which can leave them wide open to attack.
Unfortunately there is no way to totally prevent your site from being hacked; all you can do is make it as difficult as possible for the hackers to gain access.
Some website security tips:
• Only use secure passwords – use a secure password generator to produce them and use a password manager to remember them for you.
• Don’t use the same password for multiple logins – each one should be unique.
• Only install plugins and themes from trusted sources.
• Pirated themes and plugins are dangerous and often contain some nasty backdoors – just don’t use them.
• Keep all your software up to date with the latest versions – update as soon as you possibly can.
• Make sure you have an automated backup system in place in case you need to restore the site.
Be safe, not sorry.